
Internet service providers put user privacy at risk

Will ISPs drive a gaping hole through internet security for the sake of advertising revenues?

Daniel Robinson, IT Week 13 May 2008

There has been a great deal of commotion recently about Phorm, a company that aims to help advertisers better target consumers by monitoring their web browsing habits. At first glance, what Phorm is proposing seems absolutely outrageous and quite possibly illegal under UK data protection laws. Take a closer look, and Phorm’s technology is more subtle than it might appear, but no less dangerous and insidious for all that.

The fuss over Phorm comes from the fact that it is in partnership with three of the UK’s biggest ISPs - BT, Virgin Media and Talk Talk from the Carphone Warehouse - to use its service on their networks. It has also transpired that BT undertook small-scale trials of the technology last year without the consent of the customers involved, and without even bothering to inform them they were being used as guinea pigs.

Many online advertising services already track user behaviour to a certain extent, but most of the legitimate ones do little more than place a cookie onto the computer that is examined every time the user visits a web site serving ads from that company. The ad service therefore gains an idea of which kind of web sites people are visiting, and how often.

The Phorm service has the potential to be much, much more intrusive. It operates by having equipment installed in the ISP’s network that intercepts all web traffic passing along every customer’s broadband connection, and scans through it for key words that can be used to deliver targeted advertising.

The key phrase here is “deep packet inspection”. Phorm sifts through every packet traversing TCP Port 80 and analyses it minutely. The difference between other advert-tracking services and this approach can be likened to the difference between checking which phone numbers someone has called and actually listening in to every word of every conversation.

Not surprisingly, this has many privacy advocates up in arms. To be fair to Phorm, it contends that its service does not store any of the information it analyses, and it claims to operate in a way that does not identify individual users. From my understanding of the system, it generates a profile that is associated with a cookie on a particular user’s computer. When that user visits a web site affiliated with Phorm, adverts are delivered according to this profile.

However, I believe that this technology sets a worrying precedent - that intercepting private communications is perfectly acceptable for commercial purposes. And once the facility to intercept traffic exists, who knows what it might be used for in future?

At the moment, there is no suggestion that Phorm might be used to snoop on business traffic, but that doesn’t mean that it won’t affect businesses. If any of your employees work from home with web-based applications, and their broadband is supplied by BT, Virgin Media or Talk Talk, then you are already facing the possibility that your data will be intercepted and analysed by Phorm in the near future.

Phorm thus represents an unacceptable security and privacy risk, and it may even have a negative impact on e-commerce once the wider public learns about it. After all, if you knew for sure that all of your web traffic was being scrutinised, wouldn’t you have second thoughts about entering your credit card or bank details into an online sales form?

And what happens if you are a victim of online fraud and your ISP is one of those signed up with Phorm? Would your bank or credit card company cite this as a risk you should have avoided - and therefore use it as an excuse to deny you compensation?

One thing is for sure - 2008 is already turning out to be a bad year for internet privacy and security.

www.computeractive.co.uk/2216463
This article was printed from the Computeractive web site
© Incisive Media Ltd. 2008
Incisive Media Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, is a company registered in the United Kingdom with company registration number 04038503